ISO/IEC 13335-1:2004, Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management.
Published (last): 26 September 2009
Part 1 focuses its attention on concepts and models for managing the planning, implementation and operations of ICT security. New or changed security components should be tested separately to ensure that they operate as intended, and then tested in the operational environment, to ensure that the integration into the ICT system does not impact the security properties or features.
Figure 4 shows an example of the relationships between the corporate ICT security officer, the ICT security forum and the representatives from other areas within the organization, such as other security functions, the user community, and ICT personnel.
French title: Concepts et modeles pour la gestion de la securite des technologies de l'information et des communications (Concepts and models for managing information and communications technology security).
Furthermore, a programme for security awareness and training should be developed and implemented to communicate these responsibilities. The impact of a threat depends on where it occurs: a software virus on a single workstation has a local impact, whereas the same virus on a network-based file server may have widespread impact. Often, several safeguards are required to reduce the residual risks to an acceptable level.
Each phase of the ICT system lifecycle relates to ICT security. The ICT security plan for a system should also contain details of the particular security requirements and safeguards to be implemented, and procedures on how to use the safeguards correctly to ensure adequate security.
The ICT security process is itself a major cycle of activities and should be integrated into all phases of the ICT system lifecycle. Threats may be of environmental or human origin and, in the latter case, may be either accidental or deliberate. Part of judging whether the security is appropriate to the needs of the organization is the acceptance of the residual risk.
Quantitative and qualitative measurements of impact can be achieved in a number of ways.
BS ISO/IEC 13335-1:2004
For example, some cultures consider the protection of personal information as very important while others give lower significance to this issue. The standard contains generally accepted descriptions of concepts and models for information and communications technology security management.
Some functions may be delegated, and the corporate ICT security policy should address a number of general areas. If, for example, some important or very important components of the business are dependent on accurate or up-to-date information, then one of the ICT security objectives of this organization may be to ensure the integrity and timeliness of the information as it is stored and processed in the ICT systems.
This person would typically be the corporate ICT security officer, who amongst other things should be responsible for the follow-up activities. Government and commercial organizations rely heavily on the use of information to conduct their business activities.
The implemented safeguards then reduce the risk, protect against threats and indeed can reduce vulnerabilities. As discussed earlier in this clause, the results of previous risk assessment reviews, security compliance checking and information security incidents may have an effect on the corporate ICT security policy.
The corporate ICT security officer has a defined set of responsibilities. In valuing assets, the impact is first determined regardless of which threats might occur to cause the impact, to be sure of identifying the real values.
Concepts and models for information and communications technology security management. ICT security requirements should be integrated into the processes by which systems are designed, developed, purchased, upgraded or otherwise constructed.
Risk is measured in terms of a combination of the probability of an event and its consequence. Protection should be ensured throughout the life cycle of information and ICT systems, from planning to acquisition, testing and operation.
Risk is never completely eliminated.
The information security policy may contain the principles and directives specific to the protection of information that is sensitive or valuable, or otherwise of importance, to the organization.
Appropriate assignment and demarcation of accountability and specific roles and responsibilities should ensure that all important tasks are accomplished and that they are performed in an effective and efficient way. An assessment of residual risk is then performed to determine whether the assets are adequately protected.
In some instances the government is considered to be responsible and discharges this responsibility by the enactment and enforcement of laws.
Organizational management is responsible for securing assets. Integration of the security requirements into these activities ensures that cost-effective security features are included in systems at the appropriate time and not afterwards. Some threats may be general to the surrounding environment in a particular location in which a system or organization exists, for example, damage to buildings from hurricanes or lightning.
When roles are combined it is important to ensure that the appropriate checks and balances are maintained, to avoid concentrating too much responsibility in one person's hands without any possibility of influence or control. Figure 3 shows a sample of a possible hierarchical relationship of policies. The relationships between the security roles may be line management or functional.